Current Behavior
Currently there is only one permission, VULNERABILITY_ANALYSIS, when it comes to handling vulnerabilities.
It includes commenting on, suppressing and changing the triage status of vulnerabilities.
Proposed Behavior
As a big organization, we would like to have a separation of duties when it comes to suppressing vulnerabilities and setting them as False Positives.
Ideally there would be 2 different roles:
a developer with the VULNERABILITY_COMMENT role, who can comment on vulnerabilities (with proof of why the issue is a FP, or a ServiceNow ticket number);
a security team member with VULNERABILITY_ANALYSIS, who would suppress those issues and set them as FPs.
The request is to add a new role that would not allow a developer to change the vulnerability status, but only to comment on vulnerabilities.
Hello @VinodAnandan, definitely I can give it a try.
Is there a documentation roles matrix that references the scope of each role?
Probably I would start from there.
Also, should it utilize the same method updateAnalysis and just limit the updated fields, or extract this into a separate method updateComment and move that call to the new method?
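Whichever of the two options is chosen, the separation of duties only holds if the server decides on the whole request, not on which UI the user came from: a comment-only principal must be refused when a state or suppression change is bundled into the same request as the comment. The following is an added illustration of that field-level check for the single-method option; it is not Dependency-Track's code, and the Permission enum, AnalysisRequest, ForbiddenException, isAuthorized and the sample ticket reference are all assumptions made for the example.

```java
import java.util.EnumSet;
import java.util.Set;

/**
 * Illustrative field-level authorization for a vulnerability analysis update.
 * Hypothetical example: the Permission enum, AnalysisRequest and the method
 * names below are assumptions, not Dependency-Track's own code.
 */
public class AnalysisAuthzExample {

    /** Hypothetical split of today's single VULNERABILITY_ANALYSIS permission. */
    enum Permission { VULNERABILITY_COMMENT, VULNERABILITY_ANALYSIS }

    /** Minimal stand-in for the request body of an analysis update. */
    static final class AnalysisRequest {
        final String analysisState; // e.g. "FALSE_POSITIVE"; null means "unchanged"
        final Boolean suppressed;   // null means "unchanged"
        final String comment;       // null means "no comment added"

        AnalysisRequest(String analysisState, Boolean suppressed, String comment) {
            this.analysisState = analysisState;
            this.suppressed = suppressed;
            this.comment = comment;
        }

        /** True when the request touches triage state or suppression. */
        boolean changesTriage() {
            return analysisState != null || suppressed != null;
        }
    }

    static final class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    /**
     * Decide on the whole request, not field by field: a comment-only principal
     * must not be able to smuggle a state change in alongside a comment.
     */
    static boolean isAuthorized(Set<Permission> granted, AnalysisRequest req) {
        if (req.changesTriage()) {
            return granted.contains(Permission.VULNERABILITY_ANALYSIS);
        }
        if (req.comment != null) {
            // Analysts keep the ability to comment; commenters get only this path.
            return granted.contains(Permission.VULNERABILITY_COMMENT)
                || granted.contains(Permission.VULNERABILITY_ANALYSIS);
        }
        return false; // nothing to update
    }

    /** Simulated updateAnalysis: authorization runs before any state is touched. */
    static String updateAnalysis(Set<Permission> granted, AnalysisRequest req) {
        if (!isAuthorized(granted, req)) {
            throw new ForbiddenException("principal lacks the permission for this update");
        }
        StringBuilder applied = new StringBuilder();
        if (req.analysisState != null) applied.append("state=").append(req.analysisState).append(' ');
        if (req.suppressed != null)    applied.append("suppressed=").append(req.suppressed).append(' ');
        if (req.comment != null)       applied.append("comment=\"").append(req.comment).append('"');
        return applied.toString().trim();
    }

    public static void main(String[] args) {
        Set<Permission> developer = EnumSet.of(Permission.VULNERABILITY_COMMENT);
        Set<Permission> securityTeam = EnumSet.of(Permission.VULNERABILITY_ANALYSIS);

        // Developer documents why the finding is a false positive (constructed sample data): allowed.
        System.out.println(updateAnalysis(developer,
            new AnalysisRequest(null, null, "Not reachable, see ticket INC0000001")));

        // Security team member actually triages and suppresses it: allowed.
        System.out.println(updateAnalysis(securityTeam,
            new AnalysisRequest("FALSE_POSITIVE", Boolean.TRUE, "Confirmed FP")));

        // Developer tries to mark it FALSE_POSITIVE while commenting: the whole request is rejected.
        try {
            updateAnalysis(developer,
                new AnalysisRequest("FALSE_POSITIVE", null, "Trust me"));
        } catch (ForbiddenException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same decision function works for the separate-method option too: updateComment would simply be the path that only ever receives a request with changesTriage() false, while updateAnalysis keeps requiring VULNERABILITY_ANALYSIS. In either case the check belongs in the server before any persistence call, so that a client crafting its own request body cannot bypass what the UI hides.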